dbfd439ce4
fix: too many FPs
...
with e.g. =select-billing-address and many more
2022-07-27 14:18:29 +02:00
ff6384aabb
Merge pull request #3262 from redsand/improvement_add_additional_useragent
...
Feature improvement to add an additional known user agent seen in the…
2022-07-22 21:07:03 +02:00
3c015a9c78
Feature improvement to add an additional known user agent seen in the wild.
2022-07-21 19:28:10 +00:00
63963a9014
Merge pull request #3254 from nasbench/cve_2022_33891
...
Create web_cve_2022_33891_spark_rce.yml
2022-07-21 18:13:39 +02:00
de4dd20a82
Update web_cve_2022_33891_spark_shell_command_injection.yml
2022-07-21 18:02:44 +02:00
aa79f4a5ee
Update web_cve_2022_33891_spark_shell_command_injection.yml
2022-07-21 15:34:11 +01:00
de68fb244e
Merge pull request #3251 from nasbench/CVE-2014-6287
...
Create web_cve_2014_6287_hfs_rce.yml
2022-07-20 23:24:42 +02:00
a8b283ba5f
Update
2022-07-20 13:40:24 +01:00
4c5929416a
Update web_cve_2014_6287_hfs_rce.yml
2022-07-20 13:26:19 +01:00
776b3ff99c
Update web_susp_useragents.yml
2022-07-20 14:21:41 +02:00
06c9ba2730
Renamed File
2022-07-19 18:38:10 +01:00
32b028fb16
Create web_cve_2022_33891_spark_rce.yml
2022-07-19 17:15:14 +01:00
595af48863
Create web_susp_useragents.yml
2022-07-19 16:26:28 +01:00
982038ebe3
Update web_cve_2014_6287_hfs_rce.yml
2022-07-19 15:27:16 +01:00
8e5e71ea15
Create web_cve_2014_6287_hfs_rce.yml
2022-07-19 15:17:16 +01:00
1392ca1ec5
Fix review
2022-07-11 20:27:42 +01:00
62574e9b0c
Update Ref+Selection 3
2022-07-11 18:12:51 +01:00
238e0ecd7d
Update Ref+Selection
2022-07-11 14:11:53 +01:00
aec95b6d65
Update selections and indentation
2022-07-07 20:13:45 +01:00
10dfd7d063
fix: FP found in webserver logs
2022-06-27 16:46:18 +02:00
f728893364
refactor: rule level adjustments - critical to high
2022-06-18 17:43:22 +02:00
a2d19f3db2
Add FP filter + FP remark
2022-06-15 11:48:15 +01:00
9f0989e49c
Quick typo fix
2022-06-15 11:38:34 +01:00
894f6af09f
Removed double quotes
2022-06-15 11:30:01 +01:00
ee23e653f9
Added "GET" method selection
2022-06-15 11:29:31 +01:00
e42318b0fb
Update web_ssti_in_access_logs.yml
2022-06-14 22:10:09 +01:00
b54df8d9ce
Rename+Update
2022-06-14 21:58:34 +01:00
f527b8eb4c
Rename Web CVE Rules
...
Renamed WEB CVE rules to the format "web_cve_20XX_XXXX_rest_of_name"
2022-06-14 19:22:26 +01:00
00db705ae6
Rename Web Rule
2022-06-14 19:13:15 +01:00
d3d5f4faea
Update web_susp_windows_path_uri.yml
2022-06-07 10:45:06 +02:00
7327dd53e5
New/Update Rules
...
- Renamed "sql_injection_keywords.yml" to "web_sql_injection_keywords.yml" to conform with the rest of the rule in the WEB directory
- Renamed "xss_keywords.yml" to "web_xss_keywords.yml" to conform with the rest of the rule in the WEB directory
- Renamed "proc_create_win_msdt_susp_parent.yml" to "proc_creation_win_msdt_susp_parent.yml" to conform with other process creation rules
- Renamed "proc_create_win_sdiagnhost_susp_child.yml" to "proc_creation_win_sdiagnhost_susp_child.yml" to conform with other process creation rules
- Moved the rule "win_powershell_snapins_hafnium.yml" to process_creation folder instead of the WEB folder
- Created "web_susp_windows_path_uri.yml" to detect URI that contains susp windows paths
- Updated the description "web_webshell_keyword.yml" and added 3 more cases
- Created "file_event_win_cve_2021_44077_poc_default_files.yml" to detect the default dropped file from the POC of CVE-2021-44077 (Showcased in the DFIR report)
- Created "proc_creation_win_renamed_plink.yml" to detect renamed usage of "Plink"
2022-06-06 21:16:52 +01:00
3b4ad16c5f
refactor: new expr from honeypot, increased level
2022-06-06 17:32:08 +02:00
b3d9706014
Update web_java_in_access_log.yml
2022-06-04 15:21:04 +02:00
f4c61c58f6
Update web_java_in_access_log.yml
2022-06-04 13:39:36 +02:00
6af060a91f
Add new string
2022-06-04 10:08:49 +02:00
e886b08755
add web_java_in_access_log
2022-06-04 08:46:14 +02:00
97856b562a
Add "\" to "Image|endswith" modifier
...
- Added the "\\" (backslash) for the "(Parent)Image|endswith" modifiers to avoid possible confusion.
- The modification were mostly done on default windows binaries to avoid changing logic of other rules.
2022-06-02 13:39:07 +01:00
74b9f97b9c
Renamed suspicious in filenames to susp
2022-05-19 09:37:04 +02:00
112b715dd6
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
dbd68bf3f0
chore: test rules: capitalization on FP list entries
...
Entires to the false positive list should begin with
a capital letter. e.g. Unkown instead of unkown.
Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
e91fc4486e
refactor: first bigger log source refactoring
...
see discussion here: https://github.com/SigmaHQ/sigma/discussions/2835
2022-03-22 17:58:29 +01:00
84d0c472ba
fix: remove penetration test as valid false positive reason
2022-03-16 14:33:18 +01:00
8d3f8acb60
fix: none --> Unknown
2022-03-16 14:19:21 +01:00
4585133325
fix: remove penetration testing as a valid false positive
2022-03-16 13:51:26 +01:00
b23eee6ebf
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
35d4c8bc69
fix: FPs noticed in THOR testing
2022-02-21 10:15:27 +01:00
e2aa3665af
fix: avoid Microsoft Defender detections
...
We keep the strings as specific as necessary while avoiding Microsoft Defender detections on the rule files
2022-02-06 08:56:54 +01:00
4631d0c482
remove invalid tag
2022-01-19 18:23:30 +01:00
f7e670d55e
Simple Quote
2022-01-11 13:40:53 +01:00
e055ec1d52
refactor: change all " of them" expressions
2022-01-11 10:59:57 +01:00
phantinuss